Information Security News
Apache Tomcat is a Java-based web server used to host many different applications. You may have it running in your environment without being familiar enough with its workings to provide adequate incident response. Start by locating the installation from the running Java process:

0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar

Here you can see that it is running from /usr/share/apache-tomcat-7.0.65. The Tomcat configuration files are located in the TOMCAT_HOME/config directory.

Now that we know where to look, let's go over the incident. A system was discovered to be compromised, so I started our IR process. When looking at the processes running, a process was quickly changing its name and running as root:

qymasclks 10346 root

The file system timeline shows the following entries:

05:58:38,493137,mac.,-rw-r--r--,0,0,0,/usr/share/apache-tomcat-7.0.65/webapps/eei.war
Tue Dec 01 2015 05:58:38,69334,.ac.,-rw-r--r--,0,0,0,/usr/share/apache-tomcat-7.0.65/webapps/eei/a.jsp
There is a new file, eei.war, that has been created. Let's take a look at the log files and see what we can get from that time frame.

#fgrep "Dec 01, 2015"
INFO: Deployment of web application archive /usr/share/apache-tomcat-7.0.65/webapps/eei.war has finished in 118 ms
You can see that a new application has been deployed, which means the attacker had access to the Tomcat admin (manager) interface. Let's look at the access_logs to see if we can get more detail.
#fgrep 01/Dec/2015
122.236.51.194 - - [01/Dec/2015:05:58:08 -0500] GET /manager/html HTTP/1.1
[01/Dec/2015:05:58:09 -0500] GET /manager/html HTTP/1.1
122.236.51.194 - admin [01/Dec/2015:05:58:39 -0500]
?org.apache.catalina.filters.CSRF_NONCE=4C0343589816E985E2010C618944EF5A HTTP/1.1
122.236.51.194 - - [01/Dec/2015:05:58:43 -0500] GET /eei/ HTTP/1.1
122.236.51.194 - - [01/Dec/2015:05:58:45 -0500] POST /eei/ HTTP/1.1
122.236.51.194 - - [01/Dec/2015:05:58:49 -0500] GET /eei/?action=command HTTP/1.1
122.236.51.194 - - [01/Dec/2015:05:58:55 -0500]
HTTP/1.1
122.236.51.194 - - [01/Dec/2015:05:58:58 -0500] POST /eei/?action=command HTTP/1.1

Let's see how the attacker was able to gain access as the admin user to the manager site. By viewing the tomcat-users.xml file, we can see that the default username is being used.
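As an added defender-side example (not part of Tom Webb's diary), the Python below parses catalina deployment messages and access_log lines in Tomcat's default "common" format and ties a successful /manager login to later requests against a freshly deployed context, the pattern seen in the /eei/?action=command hits above; the sample log lines, documentation IPs, status codes and CSRF nonce are constructed.

```python
import re

# Tomcat's default AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# HostConfig message Tomcat writes when it auto-deploys a WAR dropped into webapps/
DEPLOY_RE = re.compile(r'Deployment of web application archive (?P<war>\S+\.war) has finished')

# Constructed sample input modelled on the lines quoted in the diary: documentation
# IPs, a placeholder CSRF nonce and made-up status codes/sizes.
CATALINA_SAMPLE = """\
INFO: Deployment of web application archive /usr/share/apache-tomcat-7.0.65/webapps/eei.war has finished in 118 ms
"""
ACCESS_SAMPLE = """\
203.0.113.5 - - [01/Dec/2015:05:58:08 -0500] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - admin [01/Dec/2015:05:58:39 -0500] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 13812
203.0.113.5 - - [01/Dec/2015:05:58:43 -0500] "GET /eei/ HTTP/1.1" 200 1543
203.0.113.5 - - [01/Dec/2015:05:58:49 -0500] "GET /eei/?action=command HTTP/1.1" 200 2048
198.51.100.7 - - [01/Dec/2015:06:01:02 -0500] "GET /docs/ HTTP/1.1" 200 99
"""

def deployed_contexts(catalina_lines):
    """Context names announced as deployed, e.g. 'eei' for .../webapps/eei.war."""
    contexts = set()
    for line in catalina_lines:
        m = DEPLOY_RE.search(line)
        if m:
            contexts.add(m.group('war').rsplit('/', 1)[-1][:-4])
    return contexts

def triage(access_lines, catalina_lines):
    """Findings that tie a manager login to later hits on a freshly deployed app."""
    contexts = deployed_contexts(catalina_lines)
    manager_clients = set()   # IPs that authenticated successfully to /manager
    findings = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue          # line not in the expected format; skip it
        path, _, query = m['target'].partition('?')
        if path.startswith('/manager') and m['user'] != '-' and m['status'] == '200':
            manager_clients.add(m['ip'])
            findings.append(f"{m['ts']} manager access as '{m['user']}' from {m['ip']}")
        segs = path.split('/')    # first segment after the leading '/' is the context
        ctx = segs[1] if len(segs) > 1 else ''
        if ctx in contexts and m['ip'] in manager_clients:
            kind = 'command-style query' if 'action=command' in query else 'request'
            findings.append(f"{m['ts']} {kind} to deployed app /{ctx}/ from manager client {m['ip']}")
    return findings
```

Run it with triage(ACCESS_SAMPLE.splitlines(), CATALINA_SAMPLE.splitlines()); on real data feed it the lines of access_log and catalina.out instead of the samples.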
--
filename: kill.sh
filepath: /lib/udev
23.234.60.143 (C.rar download every 30 min)
--
Tom Webb
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ITWeb | Information security: How does SA measure up?
There is a general lack of security awareness globally among businesses' operational staff, which is leading to information security risk. Top-level management does not understand the risks associated with a breach and is unable to see the business ...
Cisco released an advisory revealing a critical vulnerability in Cisco's ASA software. Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions (CVE-2016-1287).
[Update] Also see this writeup with LOTS of details.
To check whether a device is affected, list the crypto maps bound to interfaces:
crypto map | include interface
A device is vulnerable if a crypto map is returned.
There is no workaround, but Cisco has released patched firmware for affected devices.
[1]https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
Infosec pros still pressured to release unsecure projects: Survey (IT World Canada)
Despite an increase in the number of data breaches last year, infosec pros say they continue to be pressured by the business side to release projects that aren't fully secure, according to an international survey. The survey, paid for by Trustwave ...
I am currently working on an easy way to turn a Raspberry Pi into a DShield sensor. If you would like to, you can try the current beta version of the software. Feedback is very much appreciated. To get started:
Important: The install script will move the SSH server to port 12222, so the next time you connect after a reboot you will need to use that port (ssh -p 12222 [user]@[your pi IP]). We do this to keep port 22 free for an SSH honeypot.
In order to make the Raspberry Pi a useful sensor, you need to expose it to network traffic. For example, you could use your router's DMZ feature to expose the system. Other Raspbian versions may work; if you have one, by all means test it and let me know how it goes.
---
Johannes B. Ullrich, Ph.D.
The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday.
Identity thieves made the haul by using taxpayers' personal data that was stolen from a source outside the IRS, according to a statement. The attackers then used an automated bot against an application on the IRS website that provides personal identification numbers for the electronic filing of tax returns. In all, the hackers made unauthorized queries against 464,000 social security numbers but succeeded against only 101,000 of them.
No personal information was obtained from the IRS systems. Agency officials are flagging the accounts of all affected taxpayers and plan to notify them by mail of the incident. The IRS is also working with other government agencies and industry partners to investigate the hack or stem its effects. The hack occurred last month.
by Cassandra Khaw
Google has confirmed a number of changes to Gmail with the arrival of two new features that will let you know if the people you’re corresponding with aren’t hip with TLS encryption.
The alterations are fairly subtle: when you receive a message from, or are on the brink of sending a message to, someone using a service that doesn’t support encryption, you’ll see a broken lock in the top-right of the screen. Clicking on the icon will bring up a pop-up alert with an explanation and a warning to perhaps consider removing the offending recipient.
Likewise, if you receive a message that can’t be authenticated, you won’t be hit by klaxon alarms. Instead, Gmail will replace the sender's profile photo with an incriminating question mark, identifying them as potentially suspicious. What you do with that information after that, of course, is entirely up to you. Despite the advent of this new warning system, Google stresses that not all affected messages are necessarily harmful. It's just better to practice caution.
On Wednesday, Rep. Ted Lieu (D-Calif.) and Rep. Blake Farenthold (R-Tex.) introduced a new bill in Congress that attempts to halt state-level efforts that would weaken encryption.
The federal bill comes just weeks after two nearly identical state bills in New York state and California proposed to ban the sale of modern smartphones equipped with strong crypto that cannot be unlocked by the manufacturer. If the state bills are signed into law, current iPhone and Android phones would need to be substantially redesigned for those two states.
Lieu and Farenthold’s federal bill would need to pass both the House of Representatives and the Senate as well as be signed by the president in order to take effect. If that happens before the state bills are enacted, it would pre-empt them.